Merge pull request #116425 from jsafrane/flip-selinux

Flip SELinuxMountReadWriteOncePod to Beta

pkg/apis/storage/fuzzer/fuzzer.go

@@ -96,6 +96,10 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 					storage.VolumeLifecyclePersistent,
 				}
 			}
+			if obj.Spec.SELinuxMount == nil {
+				obj.Spec.SELinuxMount = new(bool)
+				*(obj.Spec.SELinuxMount) = false
+			}
 		},
 	}
 }

pkg/apis/storage/types.go

@@ -409,6 +409,7 @@ type CSIDriverSpec struct {
 	//
 	// Default is "false".
 	//
+	// +featureGate=SELinuxMountReadWriteOncePod
 	// +optional
 	SELinuxMount *bool
 }

pkg/apis/storage/validation/validation.go

@@ -27,10 +27,12 @@ import (
 	metav1validation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/core/helper"
 	apivalidation "k8s.io/kubernetes/pkg/apis/core/validation"
 	"k8s.io/kubernetes/pkg/apis/storage"
+	"k8s.io/kubernetes/pkg/features"
 )
 
 const (
@@ -436,6 +438,7 @@ func validateCSIDriverSpec(
 	allErrs = append(allErrs, validateFSGroupPolicy(spec.FSGroupPolicy, fldPath.Child("fsGroupPolicy"))...)
 	allErrs = append(allErrs, validateTokenRequests(spec.TokenRequests, fldPath.Child("tokenRequests"))...)
 	allErrs = append(allErrs, validateVolumeLifecycleModes(spec.VolumeLifecycleModes, fldPath.Child("volumeLifecycleModes"))...)
+	allErrs = append(allErrs, validateSELinuxMount(spec.SELinuxMount, fldPath.Child("seLinuxMount"))...)
 	return allErrs
 }
 
@@ -533,6 +536,16 @@ func validateVolumeLifecycleModes(modes []storage.VolumeLifecycleMode, fldPath *
 	return allErrs
 }
 
+// validateSELinuxMount tests if seLinuxMount is set for CSIDriver.
+func validateSELinuxMount(seLinuxMount *bool, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if seLinuxMount == nil && utilfeature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
+		allErrs = append(allErrs, field.Required(fldPath, ""))
+	}
+
+	return allErrs
+}
+
 // ValidateStorageCapacityName checks that a name is appropriate for a
 // CSIStorageCapacity object.
 var ValidateStorageCapacityName = apimachineryvalidation.NameIsDNSSubdomain

pkg/apis/storage/validation/validation_test.go

@@ -23,8 +23,11 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/storage"
+	"k8s.io/kubernetes/pkg/features"
 	utilpointer "k8s.io/utils/pointer"
 )
 
@@ -1657,6 +1660,8 @@ func TestCSIDriverValidation(t *testing.T) {
 	notRequiresRepublish := false
 	storageCapacity := true
 	notStorageCapacity := false
+	seLinuxMount := true
+	notSELinuxMount := false
 	supportedFSGroupPolicy := storage.FileFSGroupPolicy
 	invalidFSGroupPolicy := storage.FSGroupPolicy("invalid-mode")
 	successCases := []storage.CSIDriver{
@@ -1667,6 +1672,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				PodInfoOnMount:    &podInfoOnMount,
 				RequiresRepublish: &notRequiresRepublish,
 				StorageCapacity:   &storageCapacity,
+				SELinuxMount:      &seLinuxMount,
 			},
 		},
 		{
@@ -1677,6 +1683,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				PodInfoOnMount:    &podInfoOnMount,
 				RequiresRepublish: &notRequiresRepublish,
 				StorageCapacity:   &notStorageCapacity,
+				SELinuxMount:      &seLinuxMount,
 			},
 		},
 		{
@@ -1687,6 +1694,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				PodInfoOnMount:    &notPodInfoOnMount,
 				RequiresRepublish: &notRequiresRepublish,
 				StorageCapacity:   &storageCapacity,
+				SELinuxMount:      &seLinuxMount,
 			},
 		},
 		{
@@ -1697,6 +1705,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				PodInfoOnMount:    &podInfoOnMount,
 				RequiresRepublish: &notRequiresRepublish,
 				StorageCapacity:   &storageCapacity,
+				SELinuxMount:      &seLinuxMount,
 			},
 		},
 		{
@@ -1707,6 +1716,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				PodInfoOnMount:    &podInfoOnMount,
 				RequiresRepublish: &notRequiresRepublish,
 				StorageCapacity:   &storageCapacity,
+				SELinuxMount:      &seLinuxMount,
 			},
 		},
 		{
@@ -1716,6 +1726,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				PodInfoOnMount:    &notPodInfoOnMount,
 				RequiresRepublish: &notRequiresRepublish,
 				StorageCapacity:   &storageCapacity,
+				SELinuxMount:      &seLinuxMount,
 			},
 		},
 		{
@@ -1725,6 +1736,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				PodInfoOnMount:    &podInfoOnMount,
 				RequiresRepublish: &notRequiresRepublish,
 				StorageCapacity:   &storageCapacity,
+				SELinuxMount:      &seLinuxMount,
 			},
 		},
 		{
@@ -1734,6 +1746,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				PodInfoOnMount:    &notPodInfoOnMount,
 				RequiresRepublish: &notRequiresRepublish,
 				StorageCapacity:   &storageCapacity,
+				SELinuxMount:      &seLinuxMount,
 			},
 		},
 		{
@@ -1746,6 +1759,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				VolumeLifecycleModes: []storage.VolumeLifecycleMode{
 					storage.VolumeLifecyclePersistent,
 				},
+				SELinuxMount: &seLinuxMount,
 			},
 		},
 		{
@@ -1758,6 +1772,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				VolumeLifecycleModes: []storage.VolumeLifecycleMode{
 					storage.VolumeLifecycleEphemeral,
 				},
+				SELinuxMount: &seLinuxMount,
 			},
 		},
 		{
@@ -1771,6 +1786,7 @@ func TestCSIDriverValidation(t *testing.T) {
 					storage.VolumeLifecycleEphemeral,
 					storage.VolumeLifecyclePersistent,
 				},
+				SELinuxMount: &seLinuxMount,
 			},
 		},
 		{
@@ -1785,6 +1801,7 @@ func TestCSIDriverValidation(t *testing.T) {
 					storage.VolumeLifecyclePersistent,
 					storage.VolumeLifecycleEphemeral,
 				},
+				SELinuxMount: &seLinuxMount,
 			},
 		},
 		{
@@ -1795,6 +1812,18 @@ func TestCSIDriverValidation(t *testing.T) {
 				RequiresRepublish: &notRequiresRepublish,
 				StorageCapacity:   &storageCapacity,
 				FSGroupPolicy:     &supportedFSGroupPolicy,
+				SELinuxMount:      &seLinuxMount,
+			},
+		},
+		{
+			// SELinuxMount: false
+			ObjectMeta: metav1.ObjectMeta{Name: driverName},
+			Spec: storage.CSIDriverSpec{
+				AttachRequired:    &attachNotRequired,
+				PodInfoOnMount:    &notPodInfoOnMount,
+				RequiresRepublish: &notRequiresRepublish,
+				StorageCapacity:   &storageCapacity,
+				SELinuxMount:      &notSELinuxMount,
 			},
 		},
 	}
@@ -1811,6 +1840,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				AttachRequired:  &attachRequired,
 				PodInfoOnMount:  &podInfoOnMount,
 				StorageCapacity: &storageCapacity,
+				SELinuxMount:    &seLinuxMount,
 			},
 		},
 		{
@@ -1819,6 +1849,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				AttachRequired:  &attachNotRequired,
 				PodInfoOnMount:  &notPodInfoOnMount,
 				StorageCapacity: &storageCapacity,
+				SELinuxMount:    &seLinuxMount,
 			},
 		},
 		{
@@ -1828,6 +1859,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				AttachRequired:  nil,
 				PodInfoOnMount:  &podInfoOnMount,
 				StorageCapacity: &storageCapacity,
+				SELinuxMount:    &seLinuxMount,
 			},
 		},
 		{
@@ -1837,6 +1869,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				AttachRequired:  &attachNotRequired,
 				PodInfoOnMount:  nil,
 				StorageCapacity: &storageCapacity,
+				SELinuxMount:    &seLinuxMount,
 			},
 		},
 		{
@@ -1846,6 +1879,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				AttachRequired:  &attachNotRequired,
 				PodInfoOnMount:  &podInfoOnMount,
 				StorageCapacity: nil,
+				SELinuxMount:    &seLinuxMount,
 			},
 		},
 		{
@@ -1858,6 +1892,7 @@ func TestCSIDriverValidation(t *testing.T) {
 				VolumeLifecycleModes: []storage.VolumeLifecycleMode{
 					"no-such-mode",
 				},
+				SELinuxMount: &seLinuxMount,
 			},
 		},
 		{
@@ -1868,6 +1903,16 @@ func TestCSIDriverValidation(t *testing.T) {
 				PodInfoOnMount:  &notPodInfoOnMount,
 				FSGroupPolicy:   &invalidFSGroupPolicy,
 				StorageCapacity: &storageCapacity,
+				SELinuxMount:    &seLinuxMount,
+			},
+		},
+		{
+			// no SELinuxMount
+			ObjectMeta: metav1.ObjectMeta{Name: driverName},
+			Spec: storage.CSIDriverSpec{
+				AttachRequired:  &attachNotRequired,
+				PodInfoOnMount:  &notPodInfoOnMount,
+				StorageCapacity: &storageCapacity,
 			},
 		},
 	}
@@ -1892,6 +1937,8 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
 	requiresRepublish := true
 	notRequiresRepublish := false
 	notStorageCapacity := false
+	seLinuxMount := true
+	notSELinuxMount := false
 	resourceVersion := "1"
 	old := storage.CSIDriver{
 		ObjectMeta: metav1.ObjectMeta{Name: driverName, ResourceVersion: resourceVersion},
@@ -1904,6 +1951,7 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
 				storage.VolumeLifecyclePersistent,
 			},
 			StorageCapacity: &storageCapacity,
+			SELinuxMount:    &seLinuxMount,
 		},
 	}
 
@@ -1933,6 +1981,12 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
 				new.Spec.StorageCapacity = &notStorageCapacity
 			},
 		},
+		{
+			name: "SELinuxMount changed",
+			modify: func(new *storage.CSIDriver) {
+				new.Spec.SELinuxMount = &notSELinuxMount
+			},
+		},
 	}
 	for _, test := range successCases {
 		t.Run(test.name, func(t *testing.T) {
@@ -2041,6 +2095,12 @@ func TestCSIDriverValidationUpdate(t *testing.T) {
 				new.Spec.StorageCapacity = nil
 			},
 		},
+		{
+			name: "SELinuxMount not set",
+			modify: func(new *storage.CSIDriver) {
+				new.Spec.SELinuxMount = nil
+			},
+		},
 	}
 
 	for _, test := range errorCases {
@@ -2061,12 +2121,14 @@ func TestCSIDriverStorageCapacityEnablement(t *testing.T) {
 		podInfoOnMount := true
 		requiresRepublish := true
 		storageCapacity := true
+		seLinuxMount := false
 		csiDriver := storage.CSIDriver{
 			ObjectMeta: metav1.ObjectMeta{Name: driverName},
 			Spec: storage.CSIDriverSpec{
 				AttachRequired:    &attachRequired,
 				PodInfoOnMount:    &podInfoOnMount,
 				RequiresRepublish: &requiresRepublish,
+				SELinuxMount:      &seLinuxMount,
 			},
 		}
 		if withField {
@@ -2260,8 +2322,65 @@ func TestCSIServiceAccountToken(t *testing.T) {
 		test.csiDriver.Spec.AttachRequired = new(bool)
 		test.csiDriver.Spec.PodInfoOnMount = new(bool)
 		test.csiDriver.Spec.StorageCapacity = new(bool)
+		test.csiDriver.Spec.SELinuxMount = new(bool)
 		if errs := ValidateCSIDriver(test.csiDriver); test.wantErr != (len(errs) != 0) {
 			t.Errorf("ValidateCSIDriver = %v, want err: %v", errs, test.wantErr)
 		}
 	}
 }
+
+func TestCSIDriverValidationSELinuxMountAlpha(t *testing.T) {
+	tests := []struct {
+		name              string
+		featureEnabled    bool
+		seLinuxMountValue *bool
+		expectError       bool
+	}{
+		{
+			name:              "feature enabled, nil value",
+			featureEnabled:    true,
+			seLinuxMountValue: nil,
+			expectError:       true,
+		},
+		{
+			name:              "feature enabled, non-nil value",
+			featureEnabled:    true,
+			seLinuxMountValue: utilpointer.Bool(true),
+			expectError:       false,
+		},
+		{
+			name:              "feature disabled, nil value",
+			featureEnabled:    false,
+			seLinuxMountValue: nil,
+			expectError:       false,
+		},
+		{
+			name:              "feature disabled, non-nil value",
+			featureEnabled:    false,
+			seLinuxMountValue: utilpointer.Bool(true),
+			expectError:       false,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.SELinuxMountReadWriteOncePod, test.featureEnabled)()
+			csiDriver := &storage.CSIDriver{
+				ObjectMeta: metav1.ObjectMeta{Name: "foo"},
+				Spec: storage.CSIDriverSpec{
+					AttachRequired:    utilpointer.Bool(true),
+					PodInfoOnMount:    utilpointer.Bool(true),
+					RequiresRepublish: utilpointer.Bool(true),
+					StorageCapacity:   utilpointer.Bool(true),
+					SELinuxMount:      test.seLinuxMountValue,
+				},
+			}
+			err := ValidateCSIDriver(csiDriver)
+			if test.expectError && err == nil {
+				t.Error("Expected validation error, got nil")
+			}
+			if !test.expectError && err != nil {
+				t.Errorf("Validation returned error: %s", err)
+			}
+		})
+	}
+}

pkg/features/kube_features.go

@@ -878,6 +878,7 @@ const (
 	// owner: @jsafrane
 	// kep: https://kep.k8s.io/1710
 	// alpha: v1.25
+	// beta: v1.27
 	// Speed up container startup by mounting volumes with the correct SELinux label
 	// instead of changing each file on the volumes recursively.
 	// Initial implementation focused on ReadWriteOncePod volumes.
@@ -1124,7 +1125,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 
 	NodeInclusionPolicyInPodTopologySpread: {Default: true, PreRelease: featuregate.Beta},
 
-	SELinuxMountReadWriteOncePod: {Default: false, PreRelease: featuregate.Alpha},
+	SELinuxMountReadWriteOncePod: {Default: true, PreRelease: featuregate.Beta},
 
 	InPlacePodVerticalScaling: {Default: false, PreRelease: featuregate.Alpha},
 

pkg/registry/storage/csidriver/storage/storage_test.go

@@ -50,6 +50,7 @@ func validNewCSIDriver(name string) *storageapi.CSIDriver {
 	podInfoOnMount := true
 	requiresRepublish := true
 	storageCapacity := true
+	seLinuxMount := true
 	return &storageapi.CSIDriver{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: name,
@@ -59,6 +60,7 @@ func validNewCSIDriver(name string) *storageapi.CSIDriver {
 			PodInfoOnMount:    &podInfoOnMount,
 			RequiresRepublish: &requiresRepublish,
 			StorageCapacity:   &storageCapacity,
+			SELinuxMount:      &seLinuxMount,
 		},
 	}
 }
@@ -74,6 +76,7 @@ func TestCreate(t *testing.T) {
 	notPodInfoOnMount := false
 	notRequiresRepublish := false
 	notStorageCapacity := false
+	notSELinuxMount := false
 	test.TestCreate(
 		// valid
 		csiDriver,
@@ -85,6 +88,7 @@ func TestCreate(t *testing.T) {
 				PodInfoOnMount:    &notPodInfoOnMount,
 				RequiresRepublish: &notRequiresRepublish,
 				StorageCapacity:   &notStorageCapacity,
+				SELinuxMount:      &notSELinuxMount,
 			},
 		},
 	)

pkg/registry/storage/csidriver/strategy_test.go

@@ -40,6 +40,7 @@ func getValidCSIDriver(name string) *storage.CSIDriver {
 			PodInfoOnMount:    &enabled,
 			StorageCapacity:   &enabled,
 			RequiresRepublish: &enabled,
+			SELinuxMount:      &enabled,
 		},
 	}
 }
@@ -281,6 +282,7 @@ func TestCSIDriverValidation(t *testing.T) {
 					PodInfoOnMount:    &enabled,
 					StorageCapacity:   &enabled,
 					RequiresRepublish: &enabled,
+					SELinuxMount:      &enabled,
 				},
 			},
 			false,
@@ -296,6 +298,7 @@ func TestCSIDriverValidation(t *testing.T) {
 					PodInfoOnMount:    &disabled,
 					StorageCapacity:   &disabled,
 					RequiresRepublish: &disabled,
+					SELinuxMount:      &disabled,
 				},
 			},
 			false,
@@ -311,6 +314,7 @@ func TestCSIDriverValidation(t *testing.T) {
 					PodInfoOnMount:    &enabled,
 					StorageCapacity:   &enabled,
 					RequiresRepublish: &enabled,
+					SELinuxMount:      &enabled,
 				},
 			},
 			true,
@@ -329,6 +333,7 @@ func TestCSIDriverValidation(t *testing.T) {
 						storage.VolumeLifecycleMode("no-such-mode"),
 					},
 					RequiresRepublish: &enabled,
+					SELinuxMount:      &enabled,
 				},
 			},
 			true,
@@ -347,6 +352,7 @@ func TestCSIDriverValidation(t *testing.T) {
 						storage.VolumeLifecyclePersistent,
 					},
 					RequiresRepublish: &enabled,
+					SELinuxMount:      &enabled,
 				},
 			},
 			false,
@@ -365,6 +371,7 @@ func TestCSIDriverValidation(t *testing.T) {
 						storage.VolumeLifecycleEphemeral,
 					},
 					RequiresRepublish: &enabled,
+					SELinuxMount:      &enabled,
 				},
 			},
 			false,
@@ -384,6 +391,7 @@ func TestCSIDriverValidation(t *testing.T) {
 						storage.VolumeLifecycleEphemeral,
 					},
 					RequiresRepublish: &enabled,
+					SELinuxMount:      &enabled,
 				},
 			},
 			false,
@@ -400,10 +408,26 @@ func TestCSIDriverValidation(t *testing.T) {
 					StorageCapacity:   &enabled,
 					TokenRequests:     []storage.TokenRequest{{Audience: gcp}},
 					RequiresRepublish: &enabled,
+					SELinuxMount:      &enabled,
 				},
 			},
 			false,
 		},
+		{
+			"invalid SELinuxMount",
+			&storage.CSIDriver{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "foo",
+				},
+				Spec: storage.CSIDriverSpec{
+					AttachRequired:  &enabled,
+					PodInfoOnMount:  &enabled,
+					StorageCapacity: &enabled,
+					SELinuxMount:    nil,
+				},
+			},
+			true,
+		},
 	}
 
 	for _, test := range tests {

pkg/volume/util/hostutil/fake_hostutil.go

@@ -120,5 +120,6 @@ func (hu *FakeHostUtil) GetMode(pathname string) (os.FileMode, error) {
 // GetSELinuxMountContext returns value of -o context=XYZ mount option on
 // given mount point.
 func (hu *FakeHostUtil) GetSELinuxMountContext(pathname string) (string, error) {
-	return "", errors.New("not implemented")
+	// This pretends the OS does not support SELinux.
+	return "", nil
 }

staging/src/k8s.io/api/storage/v1/generated.proto

@@ -209,6 +209,7 @@ message CSIDriverSpec {
   //
   // Default is "false".
   //
+  // +featureGate=SELinuxMountReadWriteOncePod
   // +optional
   optional bool seLinuxMount = 8;
 }

staging/src/k8s.io/api/storage/v1/types.go

@@ -412,6 +412,7 @@ type CSIDriverSpec struct {
 	//
 	// Default is "false".
 	//
+	// +featureGate=SELinuxMountReadWriteOncePod
 	// +optional
 	SELinuxMount *bool `json:"seLinuxMount,omitempty" protobuf:"varint,8,opt,name=seLinuxMount"`
 }

staging/src/k8s.io/api/storage/v1beta1/generated.proto

@@ -210,6 +210,7 @@ message CSIDriverSpec {
   //
   // Default is "false".
   //
+  // +featureGate=SELinuxMountReadWriteOncePod
   // +optional
   optional bool seLinuxMount = 8;
 }

staging/src/k8s.io/api/storage/v1beta1/types.go

@@ -430,6 +430,7 @@ type CSIDriverSpec struct {
 	//
 	// Default is "false".
 	//
+	// +featureGate=SELinuxMountReadWriteOncePod
 	// +optional
 	SELinuxMount *bool `json:"seLinuxMount,omitempty" protobuf:"varint,8,opt,name=seLinuxMount"`
 }

test/e2e/storage/csi_mock/csi_selinux_mount.go

@@ -45,7 +45,7 @@ var _ = utils.SIGDescribe("CSI Mock selinux on mount", func() {
 	f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
 	m := newMockDriverSetup(f)
 
-	ginkgo.Context("SELinuxMount [LinuxOnly][Feature:SELinux][Feature:SELinuxMountReadWriteOncePod]", func() {
+	ginkgo.Context("SELinuxMount [LinuxOnly][Feature:SELinux]", func() {
 		// Make sure all options are set so system specific defaults are not used.
 		seLinuxOpts1 := v1.SELinuxOptions{
 			User:  "system_u",

test/e2e/storage/testsuites/disruptive.go

@@ -207,26 +207,26 @@ func (s *disruptiveTestSuite) DefineTests(driver storageframework.TestDriver, pa
 	}
 	multiplePodTests := []multiplePodTest{
 		{
-			testItStmt: "Should test that pv used in a pod that is deleted while the kubelet is down is usable by a new pod when kubelet returns [Feature:SELinux][Feature:SELinuxMountReadWriteOncePod].",
+			testItStmt: "Should test that pv used in a pod that is deleted while the kubelet is down is usable by a new pod when kubelet returns [Feature:SELinux].",
 			runTestFile: func(ctx context.Context, c clientset.Interface, f *framework.Framework, pod1, pod2 *v1.Pod) {
 				storageutils.TestVolumeUnmountsFromDeletedPodWithForceOption(ctx, c, f, pod1, false, false, pod2, e2epod.VolumeMountPath1)
 			},
 		},
 		{
-			testItStmt: "Should test that pv used in a pod that is force deleted while the kubelet is down is usable by a new pod when kubelet returns [Feature:SELinux][Feature:SELinuxMountReadWriteOncePod].",
+			testItStmt: "Should test that pv used in a pod that is force deleted while the kubelet is down is usable by a new pod when kubelet returns [Feature:SELinux].",
 			runTestFile: func(ctx context.Context, c clientset.Interface, f *framework.Framework, pod1, pod2 *v1.Pod) {
 				storageutils.TestVolumeUnmountsFromDeletedPodWithForceOption(ctx, c, f, pod1, true, false, pod2, e2epod.VolumeMountPath1)
 			},
 		},
 		{
-			testItStmt:            "Should test that pv used in a pod that is deleted while the kubelet is down is usable by a new pod with a different SELinux context when kubelet returns [Feature:SELinux][Feature:SELinuxMountReadWriteOncePod].",
+			testItStmt:            "Should test that pv used in a pod that is deleted while the kubelet is down is usable by a new pod with a different SELinux context when kubelet returns [Feature:SELinux].",
 			changeSELinuxContexts: true,
 			runTestFile: func(ctx context.Context, c clientset.Interface, f *framework.Framework, pod1, pod2 *v1.Pod) {
 				storageutils.TestVolumeUnmountsFromDeletedPodWithForceOption(ctx, c, f, pod1, false, false, pod2, e2epod.VolumeMountPath1)
 			},
 		},
 		{
-			testItStmt:            "Should test that pv used in a pod that is force deleted while the kubelet is down is usable by a new pod with a different SELinux context when kubelet returns [Feature:SELinux][Feature:SELinuxMountReadWriteOncePod].",
+			testItStmt:            "Should test that pv used in a pod that is force deleted while the kubelet is down is usable by a new pod with a different SELinux context when kubelet returns [Feature:SELinux].",
 			changeSELinuxContexts: true,
 			runTestFile: func(ctx context.Context, c clientset.Interface, f *framework.Framework, pod1, pod2 *v1.Pod) {
 				storageutils.TestVolumeUnmountsFromDeletedPodWithForceOption(ctx, c, f, pod1, true, false, pod2, e2epod.VolumeMountPath1)